This attack is possible because of a flaw in MD5. MD5 is a cryptographic hash function: it maps input of any length to a fixed 128-bit digest, and it is supposed to be infeasible to find two different inputs with the same digest (a collision), even though infinitely many such pairs must exist. In 2004, a team of Chinese researchers demonstrated creating two different files that had the same MD5 hash. In 2007, another team showed, still only in theory, how chosen-prefix collisions, where both colliding files start with content the attacker picks, could be used to build colliding X.509 certificates. The team behind this attack turned that into a practical exploit against SSL certificates signed with MD5.

The first step was a broad scan to see which certificate authorities (CAs) were still issuing MD5-signed certificates. The team collected about 30,000 certificates chaining to CAs trusted by Firefox. About 9,000 of them were MD5-signed, and 97% of those came from RapidSSL.
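The check behind a scan like that is simply reading the signatureAlgorithm field of each certificate. The following is an added example, not code from the post or from the research team: a minimal DER walker that reports the signature algorithm of a DER-encoded certificate and flags MD5, with no library dependency. The OIDs are the real PKCS#1 identifiers; everything else (`make_cert`, which builds skeletal certificates inline for the demo, `weak_signature_certs`, and the sample labels and serial numbers) is an assumption made for illustration.

```python
"""Report the signature algorithm of DER-encoded X.509 certificates and flag MD5.

Added example. The certificates built here for the demo are skeletal (serial number and
algorithm identifiers only), not real certificates; the OIDs are the real ones.
"""

# Real signature-algorithm OIDs (RFC 3279 / RFC 4055); unknown OIDs are reported as dotted strings.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_ALGORITHMS = {"md5WithRSAEncryption"}

# ---- minimal DER encoder, used only to construct the demo input ----

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def make_cert(sig_alg_oid, serial=1):
    """Skeletal Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Only the fields the scanner reads are present (hypothetical test data, not a real cert)."""
    alg_id = der_tlv(0x30, der_oid(sig_alg_oid) + b"\x05\x00")    # AlgorithmIdentifier { oid, NULL }
    serial_der = der_tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der_tlv(0x30, serial_der + alg_id)                        # serialNumber, signature
    sig_value = der_tlv(0x03, b"\x00" + b"\xAA" * 16)               # BIT STRING holding a fake signature
    return der_tlv(0x30, tbs + alg_id + sig_value)

# ---- DER decoder: the part a scanner actually needs ----

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Name of the outer signatureAlgorithm, after checking it equals tbsCertificate.signature
    (RFC 5280 requires the two to match; a mismatch is a sign of tampering or a broken encoder)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)                 # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)           # signatureAlgorithm
    tag, _, pos = read_tlv(tbs, 0)                  # [0] version (v2/v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)              # serialNumber follows the version
    _, inner_alg, _ = read_tlv(tbs, pos)            # tbsCertificate.signature
    outer = decode_oid(read_tlv(outer_alg, 0)[1])
    inner = decode_oid(read_tlv(inner_alg, 0)[1])
    if outer != inner:
        raise ValueError(f"algorithm mismatch: {outer} vs {inner}")
    return OID_NAMES.get(outer, outer)

def weak_signature_certs(certs):
    """Labels of the (label, der) pairs whose signature algorithm uses MD5."""
    return [label for label, der in certs if signature_algorithm(der) in WEAK_ALGORITHMS]

# Constructed sample "scan": three skeletal certificates with different signature algorithms.
SAMPLE_CERTS = [
    ("md5-signed", make_cert("1.2.840.113549.1.1.4", serial=1001)),
    ("sha1-signed", make_cert("1.2.840.113549.1.1.5", serial=1002)),
    ("sha256-signed", make_cert("1.2.840.113549.1.1.11", serial=1003)),
]

if __name__ == "__main__":
    for label, der in SAMPLE_CERTS:
        print(label, signature_algorithm(der))
    print("MD5-signed:", weak_signature_certs(SAMPLE_CERTS))
```

On real certificates, feed `signature_algorithm` the DER bytes of each certificate in the chain, not just the leaf: the rogue CA described below was itself MD5-signed while the leaf certificates it issued were not.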

Having selected their target, the team needed a rogue certificate to transfer RapidSSL's signature to. An RSA signature covers only the hash of the certificate's to-be-signed body, so if a legitimate certificate and a rogue one hash to the same MD5 value, the CA's signature on the first is equally valid for the second. Computing such a chosen-prefix collision took the processing power of 200 PlayStation 3s, the equivalent of about 8,000 standard CPU cores or roughly $20K of Amazon EC2 time, and ran for one to two days per attempt. The tricky part was that the collision has to be computed before the CA signs, so the team had to know in advance the exact content RapidSSL would put into the certificate. Two fields were outside their control: the serial number and the validity timestamp. RapidSSL's serial numbers were sequential, and from testing the team knew that RapidSSL always signed six seconds after an order was acknowledged. Knowing these two facts, they generated the colliding pair in advance, bought cheap certificates to advance the counter to the predicted serial number, and then submitted the real order at the moment that would produce the predicted timestamp. If either prediction was wrong, the signature would not transfer and the whole collision computation had to be redone.

RapidSSL issued an ordinary certificate for the team's own domain, but the same signature verified on the rogue certificate, whose content the team controlled entirely. There they set the basicConstraints flag to CA=TRUE, making the rogue certificate an intermediate certificate authority chained to RapidSSL's trusted root. That gave them the authority to issue any certificate they wanted, and the certificates the rogue CA issued were signed with SHA-1, so a client that checks only the leaf certificate's signature algorithm sees nothing unusual; the MD5 signature sits one step up the chain.
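The following is an added example, not the researchers' code, modelling the signature transfer and the serial-number prediction described above in miniature. Stand-ins are used throughout: MD5 truncated to 24 bits, so a chosen-prefix collision falls out of a birthday search in well under a second (the real attack needed the Stevens et al. chosen-prefix method against full MD5 and the PS3 cluster); textbook RSA with small well-known primes in place of RapidSSL's key; and flat text in place of DER certificate bodies. In the real attack the collision blocks were hidden in the RSA public key of the legitimate certificate and in an extension of the rogue one; here they are an explicit trailing `junk` field. The names `weak_hash`, `ca_issue`, `rogue_ca_attack`, the domain and the serial numbers are assumptions. The example also shows the failure mode: when the CA's actual serial number differs from the predicted one, the signature no longer transfers.

```python
"""Toy model of transferring a CA signature to a rogue certificate via a hash collision.

Added example. Stand-ins for the real attack: MD5 truncated to 24 bits (real MD5 needed the
chosen-prefix method of Stevens et al. and 1-2 days on 200 PS3s), textbook RSA with small
well-known primes instead of RapidSSL's key, and flat text instead of DER.
"""
import hashlib

def weak_hash(data):
    """24-bit truncation of MD5: a hash whose collisions are cheap on purpose (toy)."""
    return int.from_bytes(hashlib.md5(data).digest()[:3], "big")

# CA key: textbook RSA, no padding. p = 2^16+1 and q = 2^31-1 are well-known primes, so N > 2^24.
P, Q = 65537, 2147483647
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def ca_sign(tbs):
    return pow(weak_hash(tbs), D, N)

def verify(tbs, sig):
    """Only the digest of the to-be-signed bytes is checked: a collision transfers the signature."""
    return pow(sig, E, N) == weak_hash(tbs)

def tbs_prefix(serial, not_before, subject, is_ca):
    """Flat stand-in for a tbsCertificate, ending where the collision 'junk' goes."""
    ca = "TRUE" if is_ca else "FALSE"
    return f"serial={serial};notBefore={not_before};CN={subject};CA={ca};junk=".encode()

def chosen_prefix_collision(prefix_a, prefix_b, table_size=1 << 13, max_tries=1 << 18):
    """Birthday search for suffixes (sa, sb) with weak_hash(prefix_a+sa) == weak_hash(prefix_b+sb).
    Both prefixes are attacker-chosen, which is what makes this a chosen-prefix collision."""
    table = {}
    for i in range(table_size):
        sa = i.to_bytes(4, "big")
        table.setdefault(weak_hash(prefix_a + sa), sa)
    for j in range(max_tries):
        sb = j.to_bytes(4, "big")
        sa = table.get(weak_hash(prefix_b + sb))
        if sa is not None:
            return sa, sb
    raise RuntimeError("no collision within max_tries")

def ca_issue(submitted_junk, serial, not_before, subject):
    """CA side: the CA picks serial and timestamp itself, appends the requester's material, signs."""
    tbs = tbs_prefix(serial, not_before, subject, is_ca=False) + submitted_junk
    return tbs, ca_sign(tbs)

def rogue_ca_attack(predicted_serial, predicted_time, actual_serial, actual_time):
    """Attacker side. Reports whether the CA's signature verifies on the issued cert
    and on the rogue CA cert (hypothetical domain and serial numbers)."""
    # 1. Guess what the CA will put in the legitimate cert (sequential serial, issue time).
    legit_prefix = tbs_prefix(predicted_serial, predicted_time, "www.example.com", is_ca=False)
    # 2. Write the rogue CA cert freely: any subject, any serial, CA=TRUE.
    rogue_prefix = tbs_prefix(42, predicted_time, "Rogue Intermediate CA", is_ca=True)
    # 3. Compute the colliding suffixes before the CA ever sees the request.
    legit_junk, rogue_junk = chosen_prefix_collision(legit_prefix, rogue_prefix)
    rogue_tbs = rogue_prefix + rogue_junk
    # 4. Buy the legitimate cert; the CA fills in whatever serial and time it actually uses.
    issued_tbs, sig = ca_issue(legit_junk, actual_serial, actual_time, "www.example.com")
    return {
        "issued_verifies": verify(issued_tbs, sig),
        "rogue_verifies": verify(rogue_tbs, sig),
        "rogue_tbs": rogue_tbs,
    }

if __name__ == "__main__":
    hit = rogue_ca_attack(1001, 1230000000, 1001, 1230000000)
    print("prediction right :", hit["issued_verifies"], hit["rogue_verifies"])
    miss = rogue_ca_attack(1001, 1230000000, 1002, 1230000000)
    print("serial off by one:", miss["issued_verifies"], miss["rogue_verifies"])
```

The CA never sees the rogue body, and nothing in the issued certificate looks wrong to it; the only defence on the CA side is to stop signing with a collision-prone hash or to put unpredictable data (a random serial number) into the to-be-signed body before the attacker can compute the collision.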

What a waste of a PS3! Don't people do normal things like play with their PS3 anymore? Oh, I know what I'll do: I'll go out and buy 200 PS3s because I can't afford a CRAY-1 supercomputer, then I'll waste hours of time trying to develop a flaw in Rapidshare's SSL certificates because hacking into RapidSSL is so k-rad and uber pwn.

Actually, it's things like this that make gaming on a PS3 pointless. CRAYs are not the only supercomputer, and if I'm correct that particular type of supercomputer is rather aged at the time of your post. Don't mean to say I told ya so, but someone needed to.

The threat is very real because a foundational break in the MD5 algorithm being used to falsify a certificate is a legitimate break in SSL (an entire protocol).

Still, it’s a limited break in that the number of potential collisions is limited. That doesn’t make me any more comfortable about it.

This does make me wonder about SHA1. The original SHA algorithm was made available by the NSA and was replaced with a slight alteration to it that the NSA claimed made it more secure. They didn’t elaborate on it, though.

Needless to say, selecting the SHA1 algorithm for certificate signing appears to be the intelligent way to go for now.

::Points at the post above::
Whatever happened to the comment monitoring system? I believe it was just a few guys looking over things and making sure it was not stupid crap, but …

Anyways, yes, very interesting. I suppose I should be happy that they released this as they did, that Firefox is blacklisting them, etc. However, I can't help wishing that they had just started signing certificates for anyone who wants them with this. Allowing all sorts of fun.

This note is misleading and causing misunderstandings: SSL has not been broken (not the protocol as a whole), though it's something serious... and this doesn't mean the credit card data (or any other information) is "no longer safe". Fortunately, the main players in the scenario seem to make the right moves to try to solve this problem.

Agreed with alexsfox, the PS3 is known to be a well-rounded, powerful system when used in clusters. It was a while back, but I remember some college professor/students got 8 together and made a 64-core system, quite useful really.

To the people asking about the cost: I guess if you're living in mom and dad's basement you don't have this cash. If you're an adult, you can maybe sell your car, no? And for a mafia criminal, 80k is just change.

I think it is a bit misleading to say whether a hash function is broken or not. Pick any hash algorithm and you will find all of them will produce collisions at some point. It’s a matter of these algorithms having weak or strong resistance to collisions, that’s all. MD5 was found to be weaker than expected. Oh well, life goes on.

I'm still waiting to hear how MD5 was broken? Everyone should know that MD5 allows for collisions. This shouldn't shock anyone working with it. This was part of the design. It was never meant to be encryption, only a hash that was good enough to quickly figure out that you had the right content.

Why should they work for Stanford?
Doesn't Stanford already have enough money to buy enough PCs or PS3s?
I hate it when they use MY PC or PS3 without telling me what it is about.
I hate this whole GRAND THEFT PROTEIN project, or whatever else you call it... Folding@home, etc.
The bad part is Stanford could use your machine for something that might not be that good.
I AM NOT SAYING OR ASSUMING THAT THEY DO... but in the end, WHO would ask you, or who would tell you anyway?

How long until our current method of navigating the web seems as quaint as picking up the phone and asking the operator (whose name is Linda; she’s our neighbor) to connect us with Johnny down at the general store?

Hash algorithms are supposed to be one-way. That is, you shouldn’t be able to generate a plaintext that will produce a desired hash any faster than random guessing. It’s been shown that this is possible with MD5, and even possible with selected plaintext and only small modifications. Makes it completely useless for cryptographic purposes.

Research on this subject has been going on for years now, since 2005 I believe, and the theory has been proved many times. This time they made it into a practical attack and all of a sudden it’s world news.

The cluster used has been around for over a year, and was built slightly after Dr. Mueller at NC State made the cluster with 8 of them. Besides generating MD5 collisions, it's also been used to predict the outcome of the presidential elections back in 2007 (I forget if they were right). More info here: http://www.win.tue.nl/~bdeweger/PS3Lab/

The fact they managed to find a CA cert that even used MD5, and that this cert’s auto signing was so predictable as to predict possible hashes is of course serious business, but not that big a deal on an internet-wide scale.

The fact that it’s only one Cert, but that they call it BREAKING THE INTERNET is just ridiculous and costs them all kudos they might have gotten.

MD5 was not used to predict the elections. They were only showing how feasible it is to create several different files that all have the same hash value (finding collisions), so they were using the hash value as proof of the prediction, but since all the files with the different names had the same hash, they were playing on the safe side.

I agree with johny a that they didn't break the internet on a wide scale. Though an important test, they showed us how people in IT can sometimes be so careless in implementing technologies, by using flawed algorithms and bad practices.

So *this* is who bought all the PS3s! I was wondering who the owner(s) was/were. you’ve gotta appreciate the irony that games developers still cannot get to grips with the hardware but you can do this as well as Folding@home. Maybe next time around, Sony might want to release a games console instead of a flying car…

So, this took 200 PS3s, one of the most powerful commercial computers on the market, to crack the encryption. That means that it is pretty secure by modern standards, but in 5 years the computing power of 200 PS3s will be a little more accessible and the system will be broken.

A system that can be broken in 1-2 days by 200 PS3s is not “pretty secure”, it is extremely insecure.

A system is considered "pretty secure" if the only practically feasible known attack is a brute force attack, and if the key (or in this case, the hash) is long enough to resist a brute force attack by a cluster of tens of thousands of computers for months or even years.